DOI

Data loss, i.e. the unauthorized/unwanted disclosure of data, is a major threat for modern organizations. Data Loss Protection (DLP) solutions in use nowadays, either employ patterns of known attacks (signature-based) or try to find deviations from normal behavior (anomaly-based). While signature-based solutions provide accurate identification of known attacks and, thus, are suitable for the prevention of these attacks, they cannot cope with unknown attacks, nor with attackers who follow unusual paths (like those known only to insiders) to carry out their attack. On the other hand, anomaly-based solutions can find unknown attacks but typically have a high false positive rate, limiting their applicability to the detection of suspicious activities. In this paper, we propose a hybrid DLP framework that combines signature-based and anomaly-based solutions, enabling both detection and prevention. The framework uses an anomaly-based engine that automatically learns a model of normal user behavior, allowing it to flag when insiders carry out anomalous transactions. Typically, anomaly-based solutions stop at this stage. Our framework goes further in that it exploits an operator's feedback on alerts to automatically build and update signatures of attacks that are used to timely block undesired transactions before they can cause any damage.

Original languageEnglish
Title of host publicationProceedings - 2016 IEEE Symposium on Security and Privacy Workshops, SPW 2016
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages324-333
Number of pages10
ISBN (Electronic)9781509008247
DOIs
StatePublished - 1 Aug 2016
Event2016 IEEE Symposium on Security and Privacy Workshops, SPW 2016 - San Jose, United States

Conference

Conference2016 IEEE Symposium on Security and Privacy Workshops, SPW 2016
CountryUnited States
CitySan Jose
Period23/05/1625/05/16

    Research areas

  • data loss, detection, prevention, white-box anomaly detection

ID: 32864140